
Hello,

I've recently added the correct DNS entries to enable autodiscover on Outlook, however, when I add an account, it's being added with SSL encryption instead of TLS encryption. Is there any way to force the highest level of encryption available for the client? (Yes, TLS is working when I manually set it).

Thanks!


17 Replies

First off you shouldn't allow ANY SSL connections, only TLS. First test your server at https://www.ssllabs.com/ssltest/ and you can see what protocols and cipher suites your server is allowing. The default cipher suites on a Windows server are pretty BAD. Use a tool like IIS Crypto https://www.nartac.com/Products/IISCrypto/ and use the Best Practices button to secure your server (you will have to reboot). After doing this any SSL request will be forced to TLS.


That would be news to me since I use it all the time. Every SSL protocol is now considered insecure and should not be used. You'd be surprised how many servers still support SSL 2.0 and they wonder why they get hacked. Poodle broke SSL 3.0.

Following my instructions above will simply force server communications via TLS and secure your server. The only Windows user issue is that if a user is using Windows XP with Internet Explorer 6 they couldn't connect to the webmail via https://. But this is really not an issue... I run Web Log Expert on my IIS SmarterMail logs and I've had 11 hits from Internet Explorer 6 in the last 180 days. Anyone running that combo has not updated anything on their system for years!


I think things got a bit mixed up. Whether you use implicit or explicit encryption (ie SSL/TLS in Outlook) has nothing to do with the encryption protocol. So you can negotiate TLS1.2 with port 993 for implicit (SSL on Outlook) still, as well as use StartTLS on port 143 for explicit (TLS on Outlook). As far as AutoDiscover, you would probably have to make your own XML instead of using SmarterMail's as that just has implicit on the XML return.


Outlook may be saying that but if you used the most recent IIS Crypto with Best Practices then your server will not accept a SSL connection. During the handshake the connection is stepped up to TLS regardless of what Outlook shows you.

If you're just wanting Autodiscover to show TLS instead of SSL I'm not sure how to do that. You could try removing all SSL Bindings from SmarterMail and leave the TLS Bindings in place.


Joe, looking at the schema there is no <TLS> option, it will just auto select between implicit/explicit from the <SSL> option. Link: http://technet.microsoft.com/en-us/library/cc511507%28v=office.14%29.aspx

If you don't have a port binding in the settings for 993 and it's displaying that available, I would definitely call that a bug.

As far as implicit transactions going away, I haven't seen anything from MailOPs or any providers. Most usually recommend implicit as it will bypass filters such as an ASA/PIX doing smtp fixup from disabling encryption all together.


Sorry to harp on this but you got me riled. Using TLS on Outlook could still be vulnerable to Poodle if you probably didn't disable SSL3 in regedit. To test:

openssl s_client -connect server.domain.com:587 -starttls smtp -crlf

PS. add -crlf if you actually want to type something to the Windows server on the previous comment.


There is a secret feature of the autodiscover.xml file. Remove <SSL>on</SSL> and replace it with <Encryption>TLS</Encryption>. Works fine, at least for SMTP in Outlook 2010. I have tested it and it is working for me.


I'm not sure where you're making these changes. You can't edit the autodiscover.xml file, but you can determine what it reports by editing the mailconfig.xml file. I find no SSL entry as you describe in the mailconfig.xml file. So where are you making these changes? What version of SM?

Thanks,
-Joe


Has anyone figured out a way to do this yet? I've removed all SSL from my server, so when I check SSL in the Protocol Settings -> Autodiscovery section, I'm unable to login from Outlook until I manually change that drop-down in the Advanced options tab. I see the SMTPSSL tag in the autodiscovery section in the mailConfig.xml file, but I can't figure out a TLS-related tag. Anyone? Thoughts? Thanks.


It's going to take some help from SmarterTools to make Autodiscover work properly. Right now my suggestion is to change your mailconfig.xml autodiscover ports back to SMTP 587, IMAP 143, POP 110, and all the SSL to false. This will at least let Outlook Autodiscover work, but not SSL or TLS. I've tried adding the TLS true lines to the mailconfig.xml but SmarterMail ignores this variable. Since SSL is gone we need Autoconfigure TLS fast.

Thanks,
-Joe


Autodiscover works with the TLS ports (587, 993, 995), just not with the SSL checkbox enabled. It seems the best route for the time being is to enable TLS on 25, 110, 143, set autodiscover to use those ports, but without SSL checked, and instruct users to manually set the Outlook drop-down to TLS after autodiscovering. I say to use 25, 110, 143 because Outlook will change to those port numbers when you change the drop-down, and users get confused easily... ;)
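The thread turns on one distinction: Outlook's "SSL" drop-down means implicit TLS on 993/995/465, its "TLS" drop-down means STARTTLS on 143/110/587, and the POX Autodiscover `<SSL>on/off</SSL>` flag can only express implicit-or-nothing, which is why a response with `<SSL>on</SSL>` on a STARTTLS port leaves Outlook unable to log in until the drop-down is changed by hand. The script below is an added example, not SmarterMail's code and not any poster's: it builds a minimal Autodiscover response for the three configurations discussed (SmarterMail's implicit default, the `<Encryption>TLS</Encryption>` element one poster reports working in Outlook 2010, and the clear-text interim workaround) and audits any response, including a constructed SmarterMail-style sample, for entries that would give Outlook a clear-text session or a port whose convention contradicts the encryption setting. The `<Encryption>` semantics, the namespace URIs and the example.test hostnames are assumptions taken from the posts above, not verified against a live server.

```python
import xml.etree.ElementTree as ET

# POX Autodiscover namespaces as used by Outlook (assumed from the
# TechNet schema the thread links to).
NS_AD = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
NS_OL = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

# Port conventions: implicit TLS wraps the session from the first byte;
# the other ports start in clear text and upgrade with STARTTLS (explicit).
IMPLICIT_PORTS = {"IMAP": 993, "POP3": 995, "SMTP": 465}
STARTTLS_PORTS = {"IMAP": 143, "POP3": 110, "SMTP": 587}

# Constructed sample in the shape the thread describes SmarterMail producing:
# STARTTLS ports but <SSL>on</SSL>, so Outlook tries implicit TLS on 143/587.
SAMPLE_MISMATCH = f"""<Autodiscover xmlns="{NS_AD}">
  <Response xmlns="{NS_OL}">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol><Type>IMAP</Type><Server>mail.example.test</Server>
        <Port>143</Port><SSL>on</SSL></Protocol>
      <Protocol><Type>SMTP</Type><Server>mail.example.test</Server>
        <Port>587</Port><SSL>on</SSL></Protocol>
    </Account>
  </Response>
</Autodiscover>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Port' -> 'Port')."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    """Text of the first direct child with local name `name`, else None."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _sub(parent, tag, text=None):
    el = ET.SubElement(parent, f"{{{NS_OL}}}{tag}")
    if text is not None:
        el.text = text
    return el


def build_autodiscover(email, mailhost, mode):
    """Return a POX Autodiscover response (str) with IMAP and SMTP entries.

    mode 'implicit': implicit-TLS ports with <SSL>on</SSL> (SmarterMail's default
    per the thread); 'starttls': STARTTLS ports with <Encryption>TLS</Encryption>
    (reported to work in Outlook 2010); 'plain': STARTTLS ports with <SSL>off</SSL>
    (the interim workaround, which hands Outlook a clear-text session).
    """
    root = ET.Element(f"{{{NS_AD}}}Autodiscover")
    resp = ET.SubElement(root, f"{{{NS_OL}}}Response")
    acct = _sub(resp, "Account")
    _sub(acct, "AccountType", "email")
    _sub(acct, "Action", "settings")
    for ptype in ("IMAP", "SMTP"):
        proto = _sub(acct, "Protocol")
        _sub(proto, "Type", ptype)
        _sub(proto, "Server", mailhost)
        if mode == "implicit":
            _sub(proto, "Port", str(IMPLICIT_PORTS[ptype]))
            _sub(proto, "SSL", "on")
        elif mode == "starttls":
            _sub(proto, "Port", str(STARTTLS_PORTS[ptype]))
            _sub(proto, "Encryption", "TLS")
        elif mode == "plain":
            _sub(proto, "Port", str(STARTTLS_PORTS[ptype]))
            _sub(proto, "SSL", "off")
        else:
            raise ValueError(f"unknown mode {mode!r}")
        _sub(proto, "LoginName", email)
    return ET.tostring(root, encoding="unicode")


def session_mode(proto):
    """Classify one <Protocol> element as 'implicit', 'starttls' or 'plain'.

    An <Encryption> value of TLS/SSL/None (assumed semantics) wins over the
    older <SSL> on/off flag; any other value leaves the decision to <SSL>.
    """
    enc = (_child_text(proto, "Encryption") or "").upper()
    if enc == "TLS":
        return "starttls"
    if enc == "SSL":
        return "implicit"
    if enc == "NONE":
        return "plain"
    ssl_flag = (_child_text(proto, "SSL") or "off").lower()
    return "implicit" if ssl_flag == "on" else "plain"


def audit_autodiscover(xml_text):
    """Return [(type, port, problem)] for entries that would give Outlook a
    clear-text session or a port whose convention contradicts the mode."""
    problems = []
    for proto in ET.fromstring(xml_text).iter():
        if _local(proto.tag) != "Protocol":
            continue
        ptype = _child_text(proto, "Type")
        if ptype not in IMPLICIT_PORTS:  # EXCH/WEB entries carry no mail port
            continue
        port = int(_child_text(proto, "Port") or 0)
        mode = session_mode(proto)
        if mode == "plain":
            problems.append((ptype, port, "clear-text session: no SSL or TLS"))
        elif mode == "implicit" and port == STARTTLS_PORTS[ptype]:
            problems.append((ptype, port,
                             "SSL=on on a STARTTLS port: Outlook will attempt implicit TLS and fail"))
        elif mode == "starttls" and port == IMPLICIT_PORTS[ptype]:
            problems.append((ptype, port,
                             "Encryption=TLS on an implicit-TLS port: STARTTLS is never offered there"))
    return problems


if __name__ == "__main__":
    for m in ("implicit", "starttls", "plain"):
        print(m, audit_autodiscover(build_autodiscover("user@example.test", "mail.example.test", m)))
    print("smartermail-style sample", audit_autodiscover(SAMPLE_MISMATCH))
```

Run it as-is to see the audit on the three generated responses and on the constructed sample; to check a real response, fetch `/autodiscover/autodiscover.xml` from your server with an Autodiscover POST and pass the body to `audit_autodiscover`. The audit matches elements by local name, so it works on responses that use default namespaces (as the constructed sample does) as well as on the prefixed output of `build_autodiscover`.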